Personal Health Information Protection Act, 2004, S.O. 2004, C. 3, Sched. A

Personal Health Information Protection Act, 2004

S.O. 2004, CHAPTER 3
Schedule A

Historical version for theperiod November 1, 2017 to December 11, 2017.

Last amendment:2017, c. 14, Sched. 4, s. 28.

Legislative History: 2005, c. 25, s. 35;2006, c. 4, s. 51;2006, c. 17, s. 253; 2006, c. 21, Sched. C, s. 128; 2006, c. 34, Sched. C, s. 26;2007, c. 8, s. 224; 2007, c. 10, Sched. H;2007, c. 10, Sched. K, s. 32; 2007, c. 10, Sched. P, s. 19;2009, c. 33, Sched. 18, s. 25;2010, c. 11, s. 128; 2016, c. 6, Sched. 1, s. 1; 2016, c. 23, s. 64; 2016, c. 30, s. 43; 2017, c. 14, Sched. 4, s. 28.

CONTENTS

PART I
INTERPRETATION AND APPLICATION
Purposes, Definitions and Interpretation
1. / Purposes
2. / Definitions
3. / Health information custodian
4. / Personal health information
5. / Substitute decision-maker
6. / Interpretation
Application of Act
7. / Application of Act
8. / Freedom of information legislation
9. / Non-application of Act
PART II
PRACTICES TO PROTECT PERSONAL HEALTH INFORMATION
General
10. / Information practices
11. / Accuracy
11.1 / Steps to ensure collection
12. / Security
Records
13. / Handling of records
14. / Place where records kept
Accountability and Openness
15. / Contact person
16. / Written public statement
17. / Agents and information
17.1 / Notice to governing College
PART III
CONSENT CONCERNING PERSONAL HEALTH INFORMATION
General
18. / Elements of consent
19. / Withdrawal of consent
20. / Assumption of validity
Capacity and Substitute Decision-Making
21. / Capacity to consent
22. / Determination of incapacity
23. / Persons who may consent
24. / Factors to consider for consent
25. / Authority of substitute decision-maker
26. / Incapable individual: persons who may consent
27. / Appointment of representative
28. / Transition, representative appointed by Board
PART IV
COLLECTION, USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION
General Limitations and Requirements
29. / Requirement for consent
30. / Other information
31. / Use and disclosure of personal health information
32. / Fundraising
33. / Marketing
34. / Health cards and health numbers
35. / Fees for personal health information
Collection
36. / Indirect collection
Use
37. / Permitted use
Disclosure
38. / Disclosures related to providing health care
39. / Disclosures for health or other programs
40. / Disclosures related to risks
41. / Disclosures for proceedings
42. / Disclosure to successor
43. / Disclosures related to this or other Acts
44. / Disclosure for research
45. / Disclosure for planning and management of health system
46. / Monitoring health care payments
47. / Disclosure for analysis of health system
48. / Disclosure with Commissioner’s approval
49. / Restrictions on recipients
50. / Disclosure outside Ontario
PART V
ACCESS TO RECORDS OF PERSONAL HEALTH INFORMATION AND CORRECTION
Access
51. / Application of Part
52. / Individual’s right of access
53. / Request for access
54. / Response of health information custodian
Correction
55. / Correction
PART V.1
ELECTRONIC HEALTH RECORD
55.1 / Interpretation
55.2 / Electronic health record
55.3 / Requirements for electronic health record
55.4 / Minister’s directives
55.5 / Collection, use, disclosure by custodians
55.6 / Consent directives
55.7 / Consent overrides
55.8 / Medication interaction checks
55.9 / Collection of information by Ministry
55.10 / Provision of information for purposes other than health care
55.11 / Advisory committee
55.12 / Practices and procedures review
55.13 / Protection from liability for health information custodian
55.14 / Regulations
PART VI
ADMINISTRATION AND ENFORCEMENT
Complaints, Reviews and Inspections
56. / Complaint to Commissioner
57. / Response of Commissioner
58. / Commissioner’s self-initiated review
59. / Conduct of Commissioner’s review
60. / Inspection powers
61. / Powers of Commissioner
62. / Appeal of order
63. / Enforcement of order
64. / Further order of Commissioner
65. / Damages for breach of privacy
Commissioner
66. / General powers
67. / Delegation
68. / Limitations re personal health information
69. / Immunity
PART VII
GENERAL
70. / Non-retaliation
71. / Immunity
72. / Offences
73. / Regulations
74. / Public consultation before making regulations
75. / Review of Act

part i
INTERPRETation and application

Purposes, Definitions and Interpretation

Purposes

1The purposes of this Act are,

(a)to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care;

(b)to provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act;

(c)to provide individuals with a right to require the correction or amendment of personal health information about themselves, subject to limited and specific exceptions set out in this Act;

(d)to provide for independent review and resolution of complaints with respect to personal health information; and

(e)to provide effective remedies for contraventions of this Act. 2004, c.3, Sched.A, s.1.

Definitions

2In this Act,

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated; (“mandataire”)

“Assistant Commissioner” means the Assistant Commissioner for Personal Health Information appointed under the Freedom of Information and Protection of Privacy Act; (“commissaire adjoint”)

“attorney for personal care” means an attorney under a power of attorney for personal care made in accordance with the Substitute Decisions Act, 1992; (“procureur au soin de la personne”)

“attorney for property” means an attorney under a continuing power of attorney for property made in accordance with the Substitute Decisions Act, 1992; (“procureur aux biens”)

“Board” means the Consent and Capacity Board constituted under the Health Care Consent Act, 1996; (“Commission”)

“capable” means mentally capable, and “capacity” has a corresponding meaning; (“capable”, “capacité”)

“collect”, in relation to personal health information, means to gather, acquire, receive or obtain the information by any means from any source, and “collection” has a corresponding meaning; (“recueillir”, “collecte”)

“Commissioner” means the Information and Privacy Commissioner appointed under the Freedom of Information and Protection of Privacy Act; (“commissaire”)

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning; (“divulguer”, “divulgation”)

“guardian of property” means a guardian of property or a statutory guardian of property under the Substitute Decisions Act, 1992; (“tuteur aux biens”)

“guardian of the person” means a guardian of the person appointed under the Substitute Decisions Act, 1992; (“tuteur à la personne”)

“health care” means any observation, examination, assessment, care, service or procedure that is done for a healthrelated purpose and that,

(a)is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition,

(b)is carried out or provided to prevent disease or injury or to promote health, or

(c)is carried out or provided as part of palliative care,

and includes,

(d)the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription, and

(e)a community service that is described in subsection 2 (3) of the Home Care and Community Services Act, 1994 and provided by a service provider within the meaning of that Act; (“soins de santé”)

“health care practitioner” means,

(a)a person who is a member within the meaning of the Regulated Health Professions Act, 1991 and who provides health care,

(b)Repealed: 2007, c. 10, Sched. P, s. 19.

(c)a person who is a member of the Ontario College of Social Workers and Social Service Workers and who provides health care, or

(d)any other person whose primary function is to provide health care for payment; (“praticien de la santé”)

“health information custodian” has the meaning set out in section 3; (“dépositaire de renseignements sur la santé”)

“health number” means the number, the version code or both of them assigned to an insured person within the meaning of the Health Insurance Act by the General Manager within the meaning of that Act; (“numéro de la carte Santé”)

“incapable” means mentally incapable, and “incapacity” has a corresponding meaning; (“incapable”, “incapacité”)

“individual”, in relation to personal health information, means the individual, whether living or deceased, with respect to whom the information was or is being collected or created; (“particulier”)

“information practices”, in relation to a health information custodian, means the policy of the custodian for actions in relation to personal health information, including,

(a)when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and

(b)the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information; (“pratiques relatives aux renseignements”)

“local health integration network” means a local health integration network as defined in section 2 of the Local Health System Integration Act, 2006; (“réseau local d’intégration des services de santé”)

“Minister” means the Minister of Health and Long-Term Care; (“ministre”)

“Ministry” means the Ministry of Health and Long-Term Care; (“ministère”)

“partner” means either of two persons who have lived together for at least one year and have a close personal relationship that is of primary importance in both persons’ lives; (“partenaire”)

“person” includes a partnership, association or other entity; (“personne”)

“personal health information” has the meaning set out in section 4; (“renseignements personnels sur la santé”)

“prescribed” means prescribed by the regulations made under this Act; (“prescrit”)

“prescribed organization” means the organization prescribed for the purposes of Part V.1 and, if more than one organization is prescribed, means every applicable prescribed organization; (“organisation prescrite”)

“proceeding” includes a proceeding held in, before or under the rules of a court, a tribunal, a commission, a justice of the peace, a coroner, a committee of a College within the meaning of the Regulated Health Professions Act, 1991, a committee of the Board of Regents continued under the Drugless Practitioners Act, a committee of the Ontario College of Social Workers and Social Service Workers under the Social Work and Social Service Work Act, 1998, an arbitrator or a mediator; (“instance”)

“quality of care information” has the same meaning as in the Quality of Care Information Protection Act, 2004; (“renseignements sur la qualité des soins”)

“record” means a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record; (“dossier”)

“relative” means either of two persons who are related to each other,including through marriage or adoption; (“membre de la famille”)

“research” means a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of them, and includes the development, testing and evaluation of research; (“recherche”)

“researcher” means a person who conducts research; (“chercheur”)

“research ethics board” means a board of persons that is established for the purpose of approving research plans under section 44 and that meets the prescribed requirements; (“commission d’éthique de la recherche”)

“spouse” means either of two persons who,

(a)are married to each other, or

(b)live together in a conjugal relationship outside marriage and,

(i)have cohabited for at least one year,

(ii)are together the parents of a child, or

(iii)have together entered into a cohabitation agreement under section 53 of the Family Law Act,

unless they are living separate and apart as a result of a breakdown of their relationship; (“conjoint”)

“substitute decision-maker” has the meaning set out in section 5; (“mandataire spécial”)

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to view, handle or otherwise deal with the information, subject to subsection 6 (1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning. (“utiliser”, “utilisation”) 2004, c.3, Sched.A, s.2; 2006, c.4, s.51(1); 2007, c.8, s.224(1); 2007, c. 10, Sched. P, s. 19; 2016, c. 6, Sched. 1, s. 1 (1, 2); 2016, c. 23, s. 64 (1).

Section Amendments with date in force (d/m/y)

2006, c.4, s.51(1) - 28/03/2006

2007, c.8, s.224(1) - 01/07/2010; 2007, c. 10, Sched. P, s. 19 - 01/07/2015

2016, c. 6, Sched. 1, s. 1 (1, 2) - 03/06/2016; 2016, c. 23, s. 64 (1) - 05/12/2016

Health information custodian

3(1)In this Act,

“health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:

1.A health care practitioner or a person who operates a group practice of health care practitioners.

2.A service provider within the meaning of the Home Care and Community Services Act, 1994 who provides a community service to which that Act applies.

3.Repealed:2016, c. 30, s. 43 (1).

4.A person who operates one of the following facilities, programs or services:

i.A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Actor an independent health facility within the meaning of the Independent Health Facilities Act.

ii.A long-term care home within the meaning of the Long-Term Care Homes Act, 2007, a placement co-ordinator described in subsection 40 (1) of that Act, or a care home within the meaning of the Residential Tenancies Act, 2006.

ii.1a retirement home within the meaning of the Retirement Homes Act, 2010.

iii.A pharmacy within the meaning of Part VI of the Drug and Pharmacies Regulation Act.

iv.A laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act.

v.An ambulance service within the meaning of the Ambulance Act.

vi.A home for special care within the meaning of the Homes for Special Care Act.

vii.A centre, program or service for community health or mental health whose primary purpose is the provision of health care.

5.An evaluator within the meaning of the Health Care Consent Act, 1996 or an assessor within the meaning of the Substitute Decisions Act, 1992.

6.A medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act.

7.The Minister, together with the Ministry of the Minister if the context so requires.

8.Any other person prescribed as a health information custodian if the person has custody or control of personal health information as a result of or in connection with performing prescribed powers, duties or work or any prescribed class of such persons. 2004, c.3, Sched.A, s.3(1); 2006, c.17, s.253; 2007, c.8, s.224(2-4); 2007, c.10, Sched.H, s.1; 2009, c.33, Sched.18, s.25(1);2010, c.11, s.128; 2016, c. 30, s. 43 (1).

(2)Repealed: 2009, c.33, Sched.18, s.25(2).

Exceptions

(3)Except as is prescribed, a person described in any of the following paragraphs is not a health information custodian in respect of personal health information that the person collects, uses or discloses while performing the person’s powers or duties or the work described in the paragraph, if any:

1.A person described in paragraph 1, 2 or 5 of the definition of “health information custodian” in subsection (1) who is an agent of a health information custodian.

2.A person who is authorized to act for or on behalf of a person that is not a health information custodian, if the scope of duties of the authorized person does not include the provision of health care.

3.The Minister when acting on behalf of an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is not a health information custodian. 2004, c.3, Sched.A, s.3(3).

Other exceptions

(4)A health information custodian does not include a person described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the work described in the paragraph:

1.An aboriginal healer who provides traditional healing services to aboriginal persons or members of an aboriginal community.

2.An aboriginal midwife who provides traditional midwifery services to aboriginal persons or members of an aboriginal community.

3.A person who treats another person solely by prayer or spiritual means in accordance with the tenets of the religion of the person giving the treatment. 2004, c.3, Sched.A, s.3(4).

Multiple facilities

(5)Subject to subsection (6) or an order of the Minister under subsection (8), a health information custodian that operates more than one facility described in one of the subparagraphs of paragraph 4 of the definition of “health information custodian” in subsection (1) shall be deemed to be a separate custodian with respect to personal health information of which it has custody or control as a result of or in connection with operating each of the facilities that it operates. 2004, c.3, Sched.A, s.3(5).

Single custodian

(6)Despite subsection (5), the following persons shall be deemed to be a single health information custodian with respect to all the functions described in the applicable paragraph, if any:

1.A person who operates a hospital within the meaning of the Public Hospitals Act and any of the facilities, programs or services described in paragraph 4 of the definition of “health information custodian” in subsection (1).

2.Repealed: 2016, c. 30, s. 43 (2).

3.Health information custodians or facilities that are prescribed. 2004, c.3, Sched.A, s.3(6); 2007, c.8, s.224(5); 2016, c. 30, s. 43 (2).

Application to act as one custodian

(7)A health information custodian that operates more than one facility described in one of the subparagraphs of paragraph 4 of the definition of “health information custodian” in subsection (1) or two or more health information custodians may apply to the Minister, in a form approved by the Minister, for an order described in subsection (8). 2004, c.3, Sched.A, s.3(7).

Minister’s order

(8)Upon receiving an application described in subsection (7), the Minister may make an order permitting all or some of the applicants to act as a single health information custodian on behalf of those facilities, powers, duties or work that the Minister specifies, subject to the terms that the Minister considers appropriate and specifies in the order, if the Minister is of the opinion that it is appropriate to make the order in the circumstances, having regard to,

(a)the public interest;

(b)the ability of the applicants to provide individuals with reasonable access to their personal health information;

(c)the ability of the applicants to comply with the requirements of this Act; and

(d)whether permitting the applicants to act as a single health information custodian is necessary to enable them to effectively provide integrated health care. 2004, c.3, Sched.A, s.3(8).

Scope of order

(9)In an order made under subsection (8), the Minister may order that any class of health information custodians that the Minister considers to be situated similarly to the applicants is permitted to act as a single health information custodian, subject to the terms that the Minister considers appropriate and specifies in the order, if the Minister is of the opinion that it is appropriate to so order, having regard to,

(a)the public interest;

(b)the ability of the custodians that are subject to the order made under this subsection to provide individuals with reasonable access to their personal health information;